Abstract — Key establishment is the basic necessary tool in
network security, by which pairs in the network can establish
shared keys for protecting their pairwise communications.
There have been some key agreement or predistribution
schemes with the property that the key can be established
without interaction ([3], [4], [19]). Recently hierarchical
cryptography and key management for hierarchical networks
have been active topics (see [5], [13], [14], [15], [16], [17]). Key
agreement schemes for hierarchical networks were presented
in [17], [13], which are based on the Blom key predistribution
scheme (Blom KPS, [1]) and pairing. In this paper we introduce
generalized Blom-Blundo et al key predistribution schemes.
These generalized Blom-Blundo et al key predistribution schemes
have the same security functionality as the Blom-Blundo et
al KPS. However, different and random instances of these KPSs
can be used for various parts of the networks for enhancing the
resilience. We also present key predistribution schemes from a
family of hyperelliptic curves. These key predistribution schemes
from different random curves can be used for various parts
of hierarchical networks. Then non-interactive, identity-based
and dynamic key predistribution schemes based on these
generalized Blom-Blundo et al KPSs and hyperelliptic curve
KPSs for hierarchical networks with the following properties
are constructed.

1) $O(A_K U)$ storage at each node in the network, where $U$ is the
expansion number and $A_K$ is the number of nodes at the $K$-th
level of the hierarchical network;
2) Strong resilience to the compromising of arbitrarily many
leaf and internal nodes;
3) Information theoretical security without random oracle.



I. Introduction 

Key establishment is a basic tool for secure communication
in networks: two nodes in a network can agree on a shared
key that is only known to them, thus allowing the shared key
to protect their communications. In many environments
there is significant advantage to non-interactive key agreement
schemes, which need not use any communication between
nodes. The Diffie-Hellman type key agreement protocol (see
0]) is non-interactive, but some known public keys are
needed, which is impractical for large networks. Recently
key agreement using key predistribution schemes has been
presented for very large networks such as hierarchical
networks and wireless sensor networks ((IT2l, I?), ifTTl . ifTTIl .
113, 0).

The key predistribution scheme (KPS) was proposed by
R. Blom in Eurocrypt 84 ([1]). It was extended by C. Blundo
et al in Crypto 92 ([4]). This cryptographic primitive has
been a basic ingredient in the security of wireless sensor
networks (see ifTOl . ifTTI ) and hierarchical systems (see (TT\,
Iil3n. However in the Blom and Blundo et al KPS, the size
of the finite field in the KPS has to be larger than the number
of users. The unique form of the Blom-Blundo et al KPS has no
flexibility in practical application. These are real drawbacks.

In a hierarchical network with n nodes, the root
authority only needs to distribute the secret information to
a small number of large organizations or group leaders, and
then each of these can further distribute the secret information
to smaller and smaller units (see ifTTl . ifTJl ). In this way
we can think of the nodes as arranged on a tree: the root of
the tree distributes the secret information of its children nodes
and then each of these distributes secret information to its
children nodes... each node only gets its secret information
from its parent node. Finally the leaf nodes get their secret
information from their parent nodes. Each pair of nodes at
the same level (including the leaf nodes and internal nodes)
can compute their shared key from the secret information and
the identities of themselves and their parents. This would
help for group level authentication and confidentiality in the
whole hierarchical network. The expansion number $U$ is the
maximal number of children nodes.

In applications such as tactical networks and mobile ad-hoc
networks, it is more reasonable to assume a hierarchical
network structure than a central trusted authority (see [17],
ifTSl . [13]). On the other hand, using a hierarchical
network structure can reduce the workload of the TAs.
Hierarchical identity based encryption (HIBE) was studied in
[16], [14], 0. In III], HIBE was used for the construction of
forward secure encryption. Hierarchical key agreement
has been studied in [17], [13].

In the previously constructed key agreement schemes in [17] and
[13], every node in the hierarchical network needs the storage
of $\prod_i \frac{(t_i+1)(t_i+2)}{2}$ elements of the base field for
resisting the compromising of $t_i$ nodes at the $i$-th level of the
hierarchical network. It grows exponentially when the number of
levels in the hierarchical network tends to infinity. The
KAS in [13] can only resist the attack of compromising
arbitrarily many leaf nodes. The security of the KAS in [13] was
proved in the random oracle model. The identity based key
agreement scheme of [13] is dynamic: nodes can be added at
each level of the hierarchy without changing the information
of other nodes.

In this paper we construct generalized Blom-Blundo
et al key predistribution schemes and key predistribution
schemes from a family of hyperelliptic curves. New random
polynomials are introduced in the functions computing
shared keys in these generalized Blom-Blundo et al key
predistribution schemes. Hyperelliptic curve KPSs are
constructed from different random curves. This new
randomness and flexibility of our key predistribution
schemes can be used to construct strongly resilient key
predistribution schemes for hierarchical networks with low
storage, communication and computation cost. The size
of the base field of our new key predistribution schemes
depends only on the expansion number $U$ of the hierarchical
network and the storage of every node is $O(A_K U)$, where
$A_K$ is the number of nodes at the $K$-th level of the hierarchical
network. Moreover the constructed hierarchical network key
predistribution schemes are dynamic and non-interactive. Our
key predistribution schemes for hierarchical networks can
resist the compromising of arbitrarily many nodes with very
low storage at every node.



II. Blom-Blundo et al KPS 

Now we recall the definition of KPS by following the
presentation in the paper of Stinson [19]. Suppose we have
a Trusted Authority (TA) and a set of users $U = \{1, \dots, n\}$.
Let $2^U$ be the set of all subsets of the user set $U$. $P \subset 2^U$
will denote the collection of all privileged subsets to which
the TA is distributing keys. $F$ will denote the collection of
all possible coalitions (forbidden subsets) against which each
key is to remain secure. In the Key Predistribution Scheme,
at the set up stage, each user $i$ gets its secret information
$U_i$ from the TA, where $U_i$ is taken in a finite dimensional
linear space over $GF(q)$. Once the secret information $U_i$,
$i = 1, \dots, n$, is given to each user, in the computation stage,
for any privileged subset $T \in P$, the users in the privileged
subset $T$ can compute the shared key $k_T \in GF(q)$ for their
communications. No forbidden subset $J \in F$ disjoint from
$T$ can get any information about the key $k_T$. This is called a
$(P,F)$-KPS. When $P$ consists of all subsets of $U$ with $t$
elements and $F$ consists of subsets with at most $w$ elements,
we call it a $t$-variable and $w$-secure KPS. Thus a $t$-variable and
$w$-secure KPS can be used to get the shared keys of any subset
with $t$ users, which is secure against the attack of any $w$ users.

Generally the KPS is required to be information theoretically
secure against the attack of a coalition of users; for a
more formal presentation we refer to [3], ID, [19].

The secret information $U_i$, $i = 1, \dots, n$, is in the finite
dimensional linear space $GF(q)^h$ over the finite field $GF(q)$, where
$q$ is a prime power. Thus the storage is $h\log_2(q)$ bits. The
shared key $k_T$, for each privileged subset $T \in P$, is in
$GF(q)$. In the computation stage, each user $i$ in $T$ computes
$k_T$ from its secret information $U_i$ and the IDs of other users
in the set $T$. Only the arithmetic in $GF(q)$ is involved. We
call $GF(q)$ the base field of the KPS.



The first KPS proposed in [3] is a 2-variable and
$w$-secure KPS, and it was generalized in [4] to a $t$-variable
and $w$-secure KPS. Let $q$ be a prime power
satisfying $q > n$. Each user $i$ is assigned an element
$e_i \in GF(q)$ as its identity. The TA takes a random $t$-variable
symmetric polynomial in $GF(q)[x_1, \dots, x_t]$ of the form

$$f(x_1,\dots,x_t)=\sum_{j_1=0}^{w}\cdots\sum_{j_t=0}^{w}a_{j_1\cdots j_t}\,x_1^{j_1}\cdots x_t^{j_t}$$

with coefficients $a_{j_1\cdots j_t}$ in $GF(q)$, where
$a_{j_1\cdots j_t}=a_{j_{i_1}\cdots j_{i_t}}$, that is,
$f(x_1,\dots,x_t)\in GF(q)[x_1,\dots,x_t]$ and
$f(x_1,\dots,x_t)=f(x_{i_1},\dots,x_{i_t})$
($\{i_1,\dots,i_t\}$ is an arbitrary permutation of $\{1,\dots,t\}$). This
polynomial is only known to the TA. The symmetric
$(t-1)$-variable polynomial $f(e_i,x_2,\dots,x_t)$ is given to the user $i$,
$i = 1,\dots,n$, as its secret information. For any privileged
subset $T=\{e_{i_1},\dots,e_{i_t}\}$, each user in this subset $T$ can
compute the shared key $k_T=f(e_{i_1},\dots,e_{i_t})$.

In the case $t = 2$, this is just the KPS in [3]. The bit length
of secret information stored by each user in the Blom-Blundo et
al KPS is $\binom{t+w-1}{t-1}\log_2(q)$.



III. Generalized Blom-Blundo et al key predistribution schemes

In this section we present the generalized 2-variable and
$w$-secure Blom-Blundo et al KPS, which can be extended
easily to a $t$-variable and $w$-secure KPS.



Let $GF(q)$ be a fixed finite field; there are at least

$$\frac{q^t-\sum_{d\mid t,\,d<t}q^d}{t}$$

distinct degree $t$ irreducible polynomials in $GF(q)[x]$. Set
$P(x)=p_1(x)\cdots p_h(x)$, where the $p_i$'s are degree $t$ irreducible
polynomials in $GF(q)[x]$. This is a degree $H=ht$ polynomial
in $GF(q)[x]$ which is not zero at any element in $GF(q)$.
Set $u(x)=\frac{f(x)}{P(x)}$, where $f(x)$ is a degree $w$ polynomial.
Because $P(x)\neq 0$ for any $x\in GF(q)$, $u(x)$ is defined
for any $x\in GF(q)$. Let $u_1=\frac{f_1}{P},\dots,u_{w+1}=\frac{f_{w+1}}{P}$, where
$f_1,\dots,f_{w+1}$ is a base of the linear space of all polynomials
in $GF(q)[x]$ with degree less than or equal to $w$, be a
base of the linear space of all these functions, for example
$u_1(x)=\frac{1}{P(x)},\ u_2(x)=\frac{x}{P(x)},\ \dots,\ u_{w+1}(x)=\frac{x^w}{P(x)}$.

Suppose $H > w$. The 2-variable and $w$-secure KPS
associated with $P(x)$ on the set of $q$ users defined over
$GF(q)$ can be constructed as follows. The elements in
$GF(q)$ are assigned to the users as their IDs. The TA
takes a random $F(P,Q)=\sum_{i,j=1}^{w+1}a_{ij}u_i(P)u_j(Q)$, where
$a_{ij}=a_{ji}$ (then $F(P,Q)=F(Q,P)$) and $P,Q\in GF(q)$.
The function $F(P=e_i,Q)$, as a function of $Q$, where
$e_i\in GF(q)$, can be given to the user $e_i$ as its secret
information. The shared key of the users with IDs $e_i$ and
$e_j$ is $F(P=e_i,Q=e_j)$. The bit length of the secret
information stored by each user is $(H+w+2)\log_2(q)$.
Here $(H+1)\log_2 q$ bits are used to store the polynomial $P(x)$.

Theorem 1. Suppose $H > w$. The above KPS is $w$-secure.

Proof. We take the matrix of $w+1$ rows and $q$ columns
whose entry at the $i$-th row and $j$-th column is $u_i(x_j)$, where $x_j$ is the
$j$-th element in $GF(q)$. This is actually a rank $w+1$ matrix.
Actually any linear combination of the $w+1$ rows $v_1,\dots,v_{w+1}$
of this matrix cannot be zero at more than $w$ positions, since
the function $c_1u_1+\cdots+c_{w+1}u_{w+1}=\frac{c_1f_1+\cdots+c_{w+1}f_{w+1}}{P}$
cannot have more than $w$ zero points. Then the $w$-security of
the above KPS follows from the same argument as in [1].
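
An added example, not code from the paper: a small Python model of the 2-variable, $w$-secure generalized Blom-Blundo KPS above, checking that two users derive the same key without interaction and that $w+1$ columns of the matrix in the proof of Theorem 1 are linearly independent. The prime field size 101 (the paper allows any prime power $q$), $w = 4$, the choice of two random cubics for $P(x)$ and all function names are assumptions made for the illustration.

```python
import secrets

Q = 101        # assumed prime field size, so GF(Q) is arithmetic mod Q
W = 4          # collusion threshold w (assumed)
T, NUM_FACTORS = 3, 2   # P(x) = product of 2 irreducible cubics, so H = 6 > w

def poly_eval(coeffs, x):
    """Evaluate a polynomial (coefficients low to high) at x in GF(Q)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % Q
    return out

def random_irreducible(deg):
    """Random monic polynomial of degree 2 or 3 without a root in GF(Q).
    For these degrees, having no root is the same as being irreducible."""
    assert deg in (2, 3)
    while True:
        cand = [secrets.randbelow(Q) for _ in range(deg)] + [1]
        if all(poly_eval(cand, x) for x in range(Q)):
            return cand

def setup(w=W, t=T, h=NUM_FACTORS):
    """TA side: pick P(x) = p_1(x)...p_h(x) and a random symmetric matrix (a_ij)."""
    P = [1]
    for _ in range(h):
        P = poly_mul(P, random_irreducible(t))
    A = [[0] * (w + 1) for _ in range(w + 1)]
    for i in range(w + 1):
        for j in range(i, w + 1):
            A[i][j] = A[j][i] = secrets.randbelow(Q)
    return P, A

def u_vector(P, x, w):
    """(u_1(x), ..., u_{w+1}(x)) with u_i(x) = x^(i-1) / P(x)."""
    inv = pow(poly_eval(P, x), -1, Q)   # exists because P has no zero in GF(Q)
    return [pow(x, i, Q) * inv % Q for i in range(w + 1)]

def share(P, A, e):
    """Secret information of user e: F(e, .) in the basis u_j, plus P itself."""
    w = len(A) - 1
    ue = u_vector(P, e, w)
    coeffs = [sum(A[i][j] * ue[i] for i in range(w + 1)) % Q for j in range(w + 1)]
    return {"id": e, "coeffs": coeffs, "P": P}

def shared_key(my_share, other_id):
    """Non-interactive key: evaluate the stored F(e, .) at the peer's ID."""
    uo = u_vector(my_share["P"], other_id, len(my_share["coeffs"]) - 1)
    return sum(c * u for c, u in zip(my_share["coeffs"], uo)) % Q

def det_mod(M):
    """Determinant over GF(Q) by Gaussian elimination."""
    M, det = [row[:] for row in M], 1
    for c in range(len(M)):
        piv = next((r for r in range(c, len(M)) if M[r][c]), None)
        if piv is None:
            return 0
        if piv != c:
            M[c], M[piv], det = M[piv], M[c], -det
        det = det * M[c][c] % Q
        inv = pow(M[c][c], -1, Q)
        for r in range(c + 1, len(M)):
            f = M[r][c] * inv % Q
            M[r] = [(a - f * b) % Q for a, b in zip(M[r], M[c])]
    return det % Q

if __name__ == "__main__":
    P, A = setup()
    alice, bob = share(P, A, 17), share(P, A, 58)      # constructed IDs
    print(shared_key(alice, 58), shared_key(bob, 17))  # the two values agree
    ids = [3, 7, 20, 55, 100]                          # w + 1 distinct IDs
    print(det_mod([u_vector(P, e, W) for e in ids]) != 0)
```

Each share holds $w+1$ coefficients plus the $H+1$ coefficients of $P(x)$, matching the $(H+w+2)\log_2(q)$ storage stated above.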

The functions in the generalized Blom-Blundo et al
KPSs have poles in the extension fields of $GF(q)$. If the
polynomials $P$ are distinct, these poles are distinct elements
in the extension fields. Thus it is impossible for these
functions in the $KPS(P_{random})$'s to have a monic polynomial
relation. That is, it is impossible to express the symmetric
function used in one generalized Blom-Blundo et al KPS as
a polynomial of the symmetric functions of other different
generalized Blom-Blundo et al KPSs.

The $t$-variable version of the generalized Blom-Blundo
et al KPSs will not be used in the hierarchical network
key predistribution schemes given in section V. We include
the construction here for the convenience of the readers.
The $t$-variable and $w$-secure generalized Blom-Blundo et
al KPS associated with $P(x)$ on the set of $q$ users defined
over $GF(q)$ can be constructed as follows. The elements in
$GF(q)$ are assigned to the users as their IDs. The TA takes a
random $F(P_1,\dots,P_t)=\sum_{i_1,\dots,i_t}a_{i_1\cdots i_t}u_{i_1}(P_1)\times\cdots\times u_{i_t}(P_t)$,
where $a_{i_1\cdots i_t}$ is symmetric in its subindices (then $F$ is
symmetric in its variables) and $P_1,\dots,P_t\in GF(q)$.
The $t-1$ variable function $F(P_1=x,P_2,\dots,P_t)$ can be given
to the user with ID $= x$ as its secret information. The shared
key of the $t$ users with IDs $e_1,\dots,e_t$ is $F(e_1,\dots,e_t)$. The
bit length of the secret information stored by each user is
$\binom{t+w-1}{t-1}\log_2(q)+(H+1)\log_2 q$. Here $(H+1)\log_2 q$ bits
are used for the storage of the polynomial $P(x)$.

The proof of the $w$-security of this $t$-variable KPS is
direct, since any $w+1$ columns of the matrix in Theorem 1
are linearly independent.

Then how many different such KPSs can we have? We 



least Bh = 'St\H{- 



-T.Mtq-'-.H 



know there are at least Bh = '^t\H{- 



-) t polynomials 



P(x) from the above argument corresponding to at least 
B such KPSs. When w is a prime number Bh = ^~^^- 
This is quite large when both $q$ and $H$, satisfying $q > H$,
tend to infinity. Thus there are sufficiently many such different
$KPS(P)$'s for the randomness we need in the design of KPS
for wireless sensor networks. Generally this number can
be computed by zeta functions associated with the rational
curve (see [16]).



) ~ possible polynomials 
$P(x)\in GF(q)[x]$ in the computation of the shared keys.
Hence the shared keys can be adjusted by these polynomials.
So the randomness we need in the design of KPS comes
from these polynomials $P\in GF(q)[x]$.



How can we use these irreducible polynomials in the
implementation of the generalized Blom-Blundo et al KPSs?
From the theory of finite fields, there is an enumeration of
irreducible polynomials of arbitrary fixed degree. For
low degrees, some tables of irreducible polynomials over
$GF(2)$ and $GF(3)$ are listed in the standard textbooks
on finite fields. These can be used for the implementation of
generalized Blom-Blundo et al KPSs for which we take
$h=\frac{H}{t}$ a large positive integer and $t$ a small positive integer.



Example 1. Let $p(x)=1+2x+x^3\in GF(9)[x]$. It is easy
to check that $p(x)$ is an irreducible polynomial in $GF(3)[x]$ and
thus irreducible in $GF(9)[x]$, since the root is in $GF(27)$
and the intersection of $GF(9)$ and $GF(27)$ is $GF(3)$. Set

We can have a 2-variable and 3-secure $KPS(p)$
on the set of 9 players by taking a random function



Fi^,y) = ^t 



-.l.j=l^i3 



hfo = S3^o,j=oa*j^^, where 



are random elements in $GF(9)$.



Example 2. Let $p(x)=x^7+x+1\in GF(2)[x]$.
This is an irreducible polynomial in $GF(2)[x]$. It is
easy to check that $p(x)$ is also irreducible in $GF(2^{11})[x]$,
otherwise the intersection of $GF(128)$ and $GF(2^{11})$ is
bigger than $GF(2)$. If $7h < 2^{11} = 2048$, the functions
A = ^,/2 = ^,...,/7h = ^ can be used to get 
a 2-variable and $7h$-secure generalized Blom-Blundo et al
KPS. The setup server takes a random symmetric function



^7h 



where a^ 



are random 



elements in GF(2^^). The setup server then predistributes 
F{ei,y) to the sensor node with ID — e e GF{2^^) as 
its secret information. The shared key of two sensor nodes
with IDs $e,e'\in GF(2^{10})$ is $F(e,e')$. This generalized
Blom-Blundo KPS can be used for at most $2^{10} = 1024$ sensor
nodes. Since 7 is a prime number, $\frac{2^7-2}{7}=18$, we have at least
18 distinct degree 7 irreducible polynomials in $GF(2)[x]$.
These polynomials are also irreducible in GF(2^^)[a;]. If 
7h < 2048, we can have at least (18'' distinct 2-variable 
and $7h$-secure KPSs on the set of 2048 sensor nodes. All
these distinct KPSs have the same security functionality as the
2-variable and $7h$-secure Blom-Blundo et al KPS. Thus these
distinct generalized Blom-Blundo et al KPSs can be used for
the various parts of the wireless sensor networks.



When $f_1=1,\dots,f_{w+1}=x^w$ in the above
generalized 2-variable and $w$-secure KPS, the
shared key is computed by the function

$$\sum_{i=0,j=0}^{w}a_{ij}\frac{x^i}{P(x)}\frac{y^j}{P(y)}=\frac{\sum_{i=0,j=0}^{w}a_{ij}x^iy^j}{P(x)P(y)}.$$



There are at 



The generalized Blom-Blundo et al key predistribution
schemes can be used for designing strongly resilient wireless
sensor network KPSs (see JS)).



IV. Random key predistribution schemes from hyperelliptic curves

A. Key predistribution schemes from a family of hyperelliptic curves

Let $q$ be an odd prime power and $X_a$ be the hyperelliptic curve
$y^2=x^q+x+a$ defined over $GF(q^2)$, where $a\in GF(q)$
is an arbitrary element in $GF(q)\subset GF(q^2)$. The genus
of this curve is $\frac{q-1}{2}$ (see [14]). For each $x\in GF(q^2)$,
$x^q+x=Tr_{GF(q^2)/GF(q)}(x)$ is an element in $GF(q)$. Thus
$x^q+x+a\in GF(q)$. It is easy to show that each element
in $GF(q)\subset GF(q^2)$ is a square element, thus we have
$2q^2$ affine $GF(q^2)$ rational points on $X_a$, and one $GF(q^2)$
rational point $Q$ at infinity. $x$ has a pole of order 2 at the
point $Q$ and $y$ has a pole of order $q$ at infinity. Let $L(uQ)$
be the linear space of rational functions on the hyperelliptic
curve with the only pole at the point $Q$ and pole order
not bigger than $u$. It is known that $\{x^iy^j \mid 2i+qj\le u\}$,
under the reduction $y^2=x^q+x+a$, is a base of the
function space $L(uQ)$ if $u>2g-1=q-2$, which is a
$u-g+1$ dimensional space over $GF(q)$. For example when
$u=2q$, then $\{1,x,\dots,x^{q},y,yx,\dots,yx^{\frac{q-1}{2}}\}$ is a base of
$L((2q)Q)$ (see [14]).

Suppose g > 5. We have a key predistribution scheme over
$GF(q^2)$ on the set of $2q^2$ users: the TA can take $X_a$ for
a random $a\in GF(q)$ and a random function
$F(P_1,P_2)=\sum_{i,j}a_{ij}f_i(P_1)f_j(P_2)\in L((w+q-1)Q)\otimes L((w+q-1)Q)$,
where $(P_1,P_2)\in X_a\times X_a$. Here $a_{ij}$ is symmetric in $i$
and $j$, and $f_1,\dots,f_{w+\frac{q+1}{2}}$ is a base of $L((w+q-1)Q)$ of the
form $x^iy^j$. Then $F(P_1=W,P_2)\in L((w+q-1)Q)$ is
given to the user with ID $= W$ as its secret information.
For the users with ID $= W$ and ID $= W'$, the shared key
between them is $F(W,W')\in GF(q^2)$. It is clear that in this
$(2,w)$ KPS over $GF(q^2)$ on the set of $2q^2$ users the storage
of secret information of each user is $2\left(w+\frac{q+1}{2}\right)\log_2(q)$ bits.

Theorem 2. The above key predistribution scheme is
$w$-secure.

Proof. We consider the $\left(w+\frac{q+1}{2}\right)\times(2q^2)$ matrix obtained by
evaluating the $w+\frac{q+1}{2}$ base functions of $L((w+q-1)Q)$
at the $2q^2$ points described above. This is actually the
generator matrix of the algebraic geometric code (see [14]). It
is well-known that the minimum Hamming distance of the dual
code is at least $w+2$ (see [14]). Thus any $w+1$ columns of the
above matrix are linearly independent vectors in $GF(q^2)^{w+\frac{q+1}{2}}$.
From the construction of the Blom key predistribution scheme in
[1] (also see [11] pages 236-237), the above construction is a
$w$-secure key predistribution scheme on $2q^2$ users.

In this family of key predistribution schemes $KPS(a)$
on the set of $2q^2$ users, where $a$ is the parameter of the curve
equation, the shared keys are computed in a field with $q^2$
elements. The randomness of these KPSs comes from random
curves instead of polynomials as in the generalized Blom KPSs.

Though we need not use the $t$-variable case in section V
for the key predistribution schemes of hierarchical networks,
the construction is included here for the convenience of the
readers. The above 2-variable and $w$-secure KPS can be
extended to a $t$-variable and $w$-secure KPS as follows. The TA
can take $X_a$ for a random $a\in GF(q)$ and a random function
$F(P_1,\dots,P_t)=\sum_{i_1,\dots,i_t}a_{i_1\cdots i_t}f_{i_1}(P_1)\times\cdots\times f_{i_t}(P_t)\in L((w+q-1)Q)\otimes\cdots\otimes L((w+q-1)Q)$,
where $(P_1,\dots,P_t)\in X_a\times\cdots\times X_a$. Here
$a_{i_1\cdots i_t}=a_{j_1\cdots j_t}$, where
$j_1\dots j_t$ is an arbitrary permutation of $i_1\dots i_t$, and $f_1,\dots,f_{w+\frac{q+1}{2}}$
is a base of $L((w+q-1)Q)$ of the form $x^iy^j$. Then
$F(P_1=W,P_2,\dots,P_t)$ of $t-1$ variables is given to the
user with ID $= W$ as its secret information. For the users
with $ID_1=W_1,\dots,ID_t=W_t$, the shared key for them is
$F(W_1,\dots,W_t)\in GF(q^2)$. It can be proved similarly as above
that this is a $t$-variable and $w$-secure KPS over $GF(q^2)$ on the set
of $2q^2$ users. The storage of secret information of each user
is $2\binom{t+w+\frac{q-3}{2}}{t-1}\log_2(q)$ bits. The detailed construction
and the proof will be included in our future paper [9].



B. Implementation

In the key predistribution schemes from the hyperelliptic
curve $X_a$, where $a$ can take any element in $GF(q)$, the TA
can assign the coordinates of the $GF(q)$ rational points of
the hyperelliptic curve $X_a$, $a\in GF(q)$, to the $2q^2$ users
as their IDs. Then the TA can fix a base of the function
space $L((w+q-1)Q)$ as above. The process of these key
predistribution schemes is the same as in the Blom KPS; the only
difference is that the polynomials and the elements of the finite
field are replaced by rational functions in $L((w+q-1)Q)$ and
$GF(q^2)$ rational points of the curve. It should be noted that
the same monomial base as above can be used for an arbitrary
curve $X_a$, $a\in GF(q)$; in the process of the computation
of the shared keys, the reduction used on the curve $X_a$ is
$y^2=x^q+x+a$. The parameter $a$ plays the critical role in
the computation of shared keys in the hyperelliptic curve key
predistribution schemes. Here $\left(w+\frac{q+1}{2}\right)\log_2(q)$ bits of secret
information need to be stored by each user.



V. Strongly resilient key predistribution schemes for hierarchical networks

Let $R$ be the root authority; it has at most $A_1$ children nodes
$R_1,\dots,R_{A_1}$, each $R_i$ has $A_{(i)}$ children nodes $R_{i1},\dots,R_{iA_{(i)}}$, and
$A_2=\sum A_{(i)}$ is the number of all nodes at the 3rd level. We
assume the hierarchical system has i + 1 levels. The node at
the $K$ level is denoted by $R_{i_1i_2\cdots i_{K-1}}$, which has $A_{(i_1i_2\cdots i_{K-1})}$
children nodes. Here $i_j$ is its number at the $j$-th level. Let
$A_K=\sum A_{(i_1i_2\cdots i_{K-1})}$ be the number of all nodes at the
$K+1$-th level. We assume $A_{(i_1\cdots i_K)}\le U$ for any possible
subindices, that is, each node has at most $U$ children
nodes. $U$ is called the expansion number.



A. Generalized Blom-Blundo et al key predistribution schemes for hierarchical networks

We fix a prime power $q>2U$ and a positive integer $t$ such
that $\frac{q^t-\sum_{d\mid t,\,d<t}q^d}{t}>q$ and $2U-1=th$ for some positive integer
$h$. We consider the $q$ irreducible polynomials of degree $t$,
$P_{a_1},\dots,P_{a_q}\in GF(q)[x]$, and a one-to-one correspondence
between $P_{a_1},\dots,P_{a_q}$ and the elements $a_1,\dots,a_q$ of $GF(q)$
will be used. For any parent node $R_{i_1\cdots i_{K-2}}$ at the $K-1$-th
level, each child node $R_{i_1\cdots i_{K-2}j}$ at the $K$ level is
assigned an element in $GF(q)$ as its ID. There are at least
(' -^ditq" )'^ > q different $(2,2U-2)$ curve-KPS on the set
of $2U$ users defined over $GF(q)$. The KPS associated with
the polynomial $P_{a_i}$ is denoted by $KPS(P_{a_i})$.

The root authority $R$ uses the random $KPS(P_s)$, where $s$
is a random element in $GF(q)$, to give the secret information
to each of its child nodes $R_i$, where $i\le A_1$. The bit length
of the secret information is $2(U-1)\log_2(q)$. For each node
$R_i$ at the 2nd level, $R_i$ randomly picks up $KPS(P_{s_i})$,
where $s_i\in GF(q)$ is a random element in $GF(q)$, to give
each of its child nodes the secret information. For any
two $R_{i_1j_1}$ and $R_{i_2j_2}$ at the 3rd level, $R_{i_1}$ and $R_{i_2}$ at the
2nd level can have a shared key $s_{i_1i_2}$ in $GF(q)$ from the
$KPS(P_s)$, then $R_{i_1}$ and $R_{i_2}$ use $KPS(P_{s_{i_1i_2}})$ to give secret
information to their children nodes $R_{i_1j}$'s and $R_{i_2j}$'s. When
$R_{ij_1}$ and $R_{ij_2}$ want to find their shared key, they can use
$KPS(P_{s_i})$, and when $R_{i_1j_1}$ and $R_{i_2j_2}$ want to find their
shared key, they can use $KPS(P_{s_{i_1i_2}})$. This process can
proceed to all the levels. That is, $R_{i_1\cdots i_K}$ randomly picks up
$KPS(P_{s_{i_1\cdots i_K}})$ for the shared key among its children nodes.
$R_{i_1\cdots i_K}$ and $R_{i'_1\cdots i'_K}$ use their shared key $s_{i_1i'_1\cdots i_Ki'_K}$
to fix a $KPS(P_{s_{i_1i'_1\cdots i_Ki'_K}})$, then this KPS is used for the
shared key between the children nodes of $R_{i_1\cdots i_K}$ and $R_{i'_1\cdots i'_K}$.

The bit length stored in each node at the $K+1$-th level is
$2A_K(2U-1)\log_2(q)$ and the computation of the shared key
is mainly $(2U-1)$ multiplications in the finite
field $GF(q)$.

B. Hyperelliptic curve key predistribution schemes for hierarchical networks

We denote the generalized $(2,2U-2)$ curve-KPS on
the set of $2U<2q^2$ users defined over $GF(q^2)$ from the
hyperelliptic curve $X: y^2=x^q+x+a$ as in section 3.1
as $KPS(a)$, with parameter $a$ from the finite field $GF(q)$.
We take a finite field $GF(q^2)$ satisfying $2U<2q^2$. The
root authority $R$ uses the random $KPS(a)$, that is, $a$ is
randomly picked from the finite field $GF(q)$, to give
the secret information to each of its child nodes $R_i$. The bit
length of the secret information is $2\left(2U+\frac{q-3}{2}\right)\log_2(q^2)$.
For each node $R_i$ at the 2nd level, $R_i$ randomly picks up
$KPS(P_{a_i})$, where $a_i\in GF(q)$, to give each of its child
nodes the secret information. For any two $R_{i_1j_1}$ and $R_{i_2j_2}$
at the 3rd level, $R_{i_1}$ and $R_{i_2}$ at the 2nd level can have a
shared key $s_{i_1i_2}$ in $GF(q^2)$ from the $KPS(a)$, then $R_{i_1}$
and $R_{i_2}$ use $KPS(P_{s_{i_1i_2}^{q+1}})$ to give secret information to
their children nodes $R_{i_1j}$'s and $R_{i_2j}$'s. It should be noted that
$s_{i_1i_2}^{q+1}\in GF(q)$ since $s_{i_1i_2}\in GF(q^2)$. When $R_{ij_1}$ and $R_{ij_2}$
want to find their shared key, they can use $KPS(P_{a_i})$, and
when $R_{i_1j_1}$ and $R_{i_2j_2}$ want to find their shared key, they can
use $KPS(P_{s_{i_1i_2}^{q+1}})$. This process can proceed to all the levels.
That is, $R_{i_1\cdots i_K}$ randomly picks up $KPS(P_{s_{i_1\cdots i_K}})$, where
$s_{i_1\cdots i_K}\in GF(q)$, for the shared key among its children nodes.
The nodes $R_{i_1\cdots i_K}$ and $R_{i'_1\cdots i'_K}$ use their shared key $s_{i_1i'_1\cdots i_Ki'_K}$
to fix a $KPS(P_{s^{q+1}_{i_1i'_1\cdots i_Ki'_K}})$, then this KPS is used for the
shared key between the children nodes of $R_{i_1\cdots i_K}$ and $R_{i'_1\cdots i'_K}$.

The field size in this hyperelliptic curve-KAS for the
hierarchical system has to satisfy $q^2>U$, which is much
weaker than the previous KAS.

The bit length of the secret information stored in each
node at the $K+1$-th level is $2A_K\left(2U+\frac{q-3}{2}\right)\log_2(q^2)$ and at
most $4U+q-3$ multiplications in the field $GF(q^2)$
are used for computing the shared key.



C. Key predistribution schemes for dynamic hierarchical networks

In the above hierarchical KAS, when $q>2A_{(i_1\cdots i_{K-1})}$ is
valid in genus KPS and $q^2>A_{(i_1\cdots i_{K-1})}$ in the hyperelliptic
curve KPS, nodes can be added by the parent node $R_{i_1\cdots i_{K-1}}$
to the hierarchy. That is, if we choose $q$ with suitably large size,
hierarchical nodes can be added by the parent node without
changing the settings of other nodes.

VI. Information theoretical security

Because the number of children nodes of each node satisfies
$A_{(i_1i_2\cdots i_K)}\le U$ and we use a $(2,2U-2)$ KPS, an adversary
compromising fewer than $2U$ nodes cannot get the full
information of the KPS used. If the adversary compromises all
children nodes (at the $K+1$-th level) of the nodes $R_{i_1\cdots i_{K-1}}$
and $R_{i'_1\cdots i'_{K-1}}$, the KPS used can be deleted and all the
children nodes in the further levels of the nodes $R_{i_1\cdots i_{K-1}}$ and
$R_{i'_1\cdots i'_{K-1}}$ and themselves can be deleted without any impact
on the key agreement scheme of the other nodes, since we
use the RANDOM KPS associated with random polynomials
or from random curves for the key predistribution for the
un-compromised nodes and their children nodes. The point
here is, after deleting the compromised nodes, their children
nodes and their parent nodes, the secret information stored
in un-compromised nodes is random and the shared keys of
the un-compromised nodes are uniformly distributed random
variables from the view of the compromised nodes.



VII. Conclusion 

In this paper the generalized Blom-Blundo et al key
predistribution schemes and key predistribution schemes from
hyperelliptic curves have been constructed. This kind of
KPS is flexible and can be used to construct hierarchical
network key predistribution schemes. The size of shared keys
only depends on the expansion numbers of nodes. These
hierarchical network KPSs are identity based and dynamic.
They are more efficient than the previously known hierarchical
key agreement schemes and information theoretically secure
against the compromising of arbitrarily many internal and leaf
nodes. The storage of each node is linear in the number
of nodes at each level.